Add ClientHello parsing and CRYPTO frame reassembly

Author: sippejw

core/src/protocols/stream/quic/crypto.rs

@@ -1,4 +1,7 @@
-// This is heavily based on Cloudflare's Rust implementation of QUIC, known as Quiche.
+// crypto.rs contains the cryptograpic functions needed to derive QUIC
+// initial keys. These keys can be used to remove header protection and
+// decrypt QUIC initial packets. This file is heavily based on Cloudflare's
+// crypto module in their Rust implementation of QUIC, known as Quiche.
 // Therefore, the original license from https://github.com/cloudflare/quiche/blob/master/quiche/src/crypto/mod.rs is below:
 
 // Copyright (C) 2018-2019, Cloudflare, Inc.
@@ -35,8 +38,12 @@ use crypto::aes_gcm::AesGcm;
 use ring::aead;
 use ring::hkdf;
 
+use crate::protocols::stream::quic::parser::QuicVersion;
 use crate::protocols::stream::quic::QuicError;
 
+// The algorithm enum defines the available
+// cryptographic algorithms used to secure
+// QUIC packets.
 #[derive(Copy, Clone, Debug)]
 pub enum Algorithm {
     AES128GCM,
@@ -80,6 +87,9 @@ impl Algorithm {
     }
 }
 
+// The Open struct gives a return value
+// that contains all of the components
+// needed for HP removal and decryption
 pub struct Open {
     alg: Algorithm,
 
@@ -192,13 +202,32 @@ pub fn calc_init_keys(cid: &[u8], version: u32) -> Result<[Open; 2], QuicError>
 }
 
 fn derive_initial_secret(secret: &[u8], version: u32) -> hkdf::Prk {
-    const INITIAL_SALT: [u8; 20] = [
+    const INITIAL_SALT_RFC9000: [u8; 20] = [
         0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8, 0x0c,
         0xad, 0xcc, 0xbb, 0x7f, 0x0a,
     ];
 
-    let salt = match version {
-        _ => &INITIAL_SALT,
+    const INITIAL_SALT_RFC9369: [u8; 20] = [
+        0x0d, 0xed, 0xe3, 0xde, 0xf7, 0x00, 0xa6, 0xdb, 0x81, 0x93, 0x81, 0xbe, 0x6e, 0x26, 0x9d,
+        0xcb, 0xf9, 0xbd, 0x2e, 0xd9,
+    ];
+
+    const INITIAL_SALT_DRAFT29: [u8; 20] = [
+        0xaf, 0xbf, 0xec, 0x28, 0x99, 0x93, 0xd2, 0x4c, 0x9e, 0x97, 0x86, 0xf1, 0x9c, 0x61, 0x11,
+        0xe0, 0x43, 0x90, 0xa8, 0x99,
+    ];
+
+    const INITIAL_SALT_DRAFT27: [u8; 20] = [
+        0xc3, 0xee, 0xf7, 0x12, 0xc7, 0x2e, 0xbb, 0x5a, 0x11, 0xa7, 0xd2, 0x43, 0x2b, 0xb4, 0x63,
+        0x65, 0xbe, 0xf9, 0xf5, 0x02,
+    ];
+
+    let salt = match QuicVersion::from_u32(version) {
+        QuicVersion::Rfc9000 => &INITIAL_SALT_RFC9000,
+        QuicVersion::Rfc9369 => &INITIAL_SALT_RFC9369,
+        QuicVersion::Draft29 => &INITIAL_SALT_DRAFT29,
+        QuicVersion::Draft27 | QuicVersion::Draft28 | QuicVersion::Mvfst27 => &INITIAL_SALT_DRAFT27,
+        _ => &INITIAL_SALT_RFC9000,
     };
 
     let salt = hkdf::Salt::new(hkdf::HKDF_SHA256, salt);

core/src/protocols/stream/quic/frame.rs

@@ -2,6 +2,7 @@
 // Implemented per RFC 9000: https://datatracker.ietf.org/doc/html/rfc9000#name-frame-types-and-formats
 
 use serde::Serialize;
+use std::collections::BTreeMap;
 
 use crate::protocols::stream::quic::QuicError;
 use crate::protocols::stream::quic::QuicPacket;
@@ -23,7 +24,6 @@ pub enum QuicFrame {
     },
     Crypto {
         offset: u64,
-        data: Vec<u8>,
     },
 }
 
@@ -46,8 +46,9 @@ pub struct EcnCounts {
 
 impl QuicFrame {
     // parse_frames takes the plaintext QUIC packet payload and parses the frame list
-    pub fn parse_frames(data: &[u8]) -> Result<Vec<QuicFrame>, QuicError> {
+    pub fn parse_frames(data: &[u8]) -> Result<(Vec<QuicFrame>, Vec<u8>), QuicError> {
         let mut frames: Vec<QuicFrame> = Vec::new();
+        let mut crypto_map: BTreeMap<u64, Vec<u8>> = BTreeMap::new();
         let mut offset = 0;
         // Iterate over plaintext payload bytes, this is a list of frames
         while offset < data.len() {
@@ -209,16 +210,26 @@ impl QuicFrame {
                     )?)? as usize;
                     offset += crypto_len_len;
                     // Parse data
-                    let crypto_data = QuicPacket::access_data(data, offset, offset + crypto_len)?;
+                    let crypto_data =
+                        QuicPacket::access_data(data, offset, offset + crypto_len)?.to_vec();
+                    crypto_map.entry(crypto_offset).or_insert(crypto_data);
                     frames.push(QuicFrame::Crypto {
                         offset: crypto_offset,
-                        data: crypto_data.to_vec(),
                     });
                     offset += crypto_len;
                 }
                 _ => return Err(QuicError::UnknownFrameType),
             }
         }
-        Ok(frames)
+        let mut reassembled_crypto: Vec<u8> = Vec::new();
+        let mut expected_offset: u64 = 0;
+        for (crypto_offset, crypto_data) in crypto_map {
+            if crypto_offset != expected_offset {
+                return Err(QuicError::MissingCryptoFrames);
+            }
+            reassembled_crypto.extend(crypto_data);
+            expected_offset = reassembled_crypto.len() as u64;
+        }
+        Ok((frames, reassembled_crypto))
     }
 }

core/src/protocols/stream/quic/mod.rs

@@ -26,6 +26,8 @@ pub use self::header::{QuicLongHeader, QuicShortHeader};
 use frame::QuicFrame;
 use header::LongHeaderPacketType;
 use serde::Serialize;
+
+use super::tls::ClientHello;
 pub(crate) mod crypto;
 pub(crate) mod frame;
 pub(crate) mod header;
@@ -44,10 +46,12 @@ pub enum QuicError {
     CryptoFail,
     FailedHeaderProtection,
     UnknownFrameType,
+    TlsParseFail,
+    MissingCryptoFrames,
 }
 
 /// Parsed Quic Packet contents
-#[derive(Debug, Serialize, Clone)]
+#[derive(Debug, Serialize)]
 pub struct QuicPacket {
     /// Quic Short header
     pub short_header: Option<QuicShortHeader>,
@@ -59,6 +63,8 @@ pub struct QuicPacket {
     pub payload_bytes_count: Option<u64>,
 
     pub frames: Option<Vec<QuicFrame>>,
+
+    pub tls: Option<ClientHello>,
 }
 
 impl QuicPacket {

core/src/protocols/stream/quic/parser.rs

@@ -8,11 +8,13 @@ use crate::protocols::stream::quic::header::{
     LongHeaderPacketType, QuicLongHeader, QuicShortHeader,
 };
 use crate::protocols::stream::quic::{QuicError, QuicPacket};
+use crate::protocols::stream::tls::{ClientHello, Tls};
 use crate::protocols::stream::{
     ConnParsable, ConnState, L4Pdu, ParseResult, ProbeResult, Session, SessionData,
 };
 use byteorder::{BigEndian, ByteOrder};
 use std::collections::HashMap;
+use tls_parser::parse_tls_message_handshake;
 
 #[derive(Default, Debug)]
 pub struct QuicParser {
@@ -31,7 +33,7 @@ impl ConnParsable for QuicParser {
         }
 
         if let Ok(data) = (pdu.mbuf_ref()).get_data_slice(offset, length) {
-            self.process(data)
+            self.process(data, pdu)
         } else {
             log::warn!("Malformed packet on parse");
             ParseResult::Skipped
@@ -103,19 +105,28 @@ impl ConnParsable for QuicParser {
 
 /// Supported Quic Versions
 #[derive(Debug, PartialEq, Eq, Hash)]
-enum QuicVersion {
+#[repr(u32)]
+pub enum QuicVersion {
     ReservedNegotiation = 0x00000000,
     Rfc9000 = 0x00000001, // Quic V1
     Rfc9369 = 0x6b3343cf, // Quic V2
+    Draft27 = 0xff00001b, // Quic draft 27
+    Draft28 = 0xff00001c, // Quic draft 28
+    Draft29 = 0xff00001d, // Quic draft 29
+    Mvfst27 = 0xfaceb002, // Facebook Implementation of draft 27
     Unknown,
 }
 
 impl QuicVersion {
-    fn from_u32(version: u32) -> Self {
+    pub fn from_u32(version: u32) -> Self {
         match version {
             0x00000000 => QuicVersion::ReservedNegotiation,
             0x00000001 => QuicVersion::Rfc9000,
             0x6b3343cf => QuicVersion::Rfc9369,
+            0xff00001b => QuicVersion::Draft27,
+            0xff00001c => QuicVersion::Draft28,
+            0xff00001d => QuicVersion::Draft29,
+            0xfaceb002 => QuicVersion::Mvfst27,
             _ => QuicVersion::Unknown,
         }
     }
@@ -168,7 +179,7 @@ impl QuicPacket {
     }
 
     /// Parses Quic packet from bytes
-    pub fn parse_from(data: &[u8], cnt: usize) -> Result<QuicPacket, QuicError> {
+    pub fn parse_from(data: &[u8], cnt: usize, dir: bool) -> Result<QuicPacket, QuicError> {
         let mut offset = 0;
         let packet_header_byte = QuicPacket::access_data(data, offset, offset + 1)?[0];
         offset += 1;
@@ -239,7 +250,7 @@ impl QuicPacket {
                     offset += packet_len_len;
                     if cnt == 0 {
                         // Derive initial keys
-                        let [client_opener, server_opener] = calc_init_keys(dcid_bytes, version)?;
+                        let [client_opener, _server_opener] = calc_init_keys(dcid_bytes, version)?;
                         // Calculate HP
                         let sample_len = client_opener.sample_len();
                         let hp_sample =
@@ -274,7 +285,9 @@ impl QuicPacket {
                         offset += cipher_text_len;
                         // Parse auth tag
                         let tag = QuicPacket::access_data(data, offset, offset + tag_len)?;
-                        offset += tag_len;
+                        // Commenting out the offset increase for tag_len to make clippy happy
+                        // Will be needed when handling multiple QUIC packets in single datagram
+                        // offset += tag_len;
                         // Reconstruct authenticated data
                         let mut ad = Vec::new();
                         ad.append(&mut [unprotected_header].to_vec());
@@ -334,12 +347,22 @@ impl QuicPacket {
                 }
             }
 
-            let frames: Option<Vec<QuicFrame>>;
+            let mut frames: Option<Vec<QuicFrame>> = None;
+            let mut ch: Option<ClientHello> = None;
             // If decrypted payload is not None, parse the frames
             if let Some(frame_bytes) = decrypted_payload {
-                frames = Some(QuicFrame::parse_frames(&frame_bytes)?);
-            } else {
-                frames = None;
+                let (q_frames, ch_bytes) = QuicFrame::parse_frames(&frame_bytes)?;
+                frames = Some(q_frames);
+                match parse_tls_message_handshake(&ch_bytes) {
+                    Ok((_, msg)) => {
+                        let mut tls = Tls::new();
+                        tls.parse_message_level(&msg, dir);
+                        if let Some(client_hello) = tls.client_hello {
+                            ch = Some(client_hello);
+                        }
+                    }
+                    Err(_) => return Err(QuicError::TlsParseFail),
+                }
             }
 
             Ok(QuicPacket {
@@ -358,6 +381,7 @@ impl QuicPacket {
                     retry_tag,
                 }),
                 frames,
+                tls: ch,
             })
         } else {
             // Short Header
@@ -378,14 +402,15 @@ impl QuicPacket {
                 long_header: None,
                 payload_bytes_count,
                 frames: None,
+                tls: None,
             })
         }
     }
 }
 
 impl QuicParser {
-    fn process(&mut self, data: &[u8]) -> ParseResult {
-        if let Ok(quic) = QuicPacket::parse_from(data, self.cnt) {
+    fn process(&mut self, data: &[u8], pdu: &L4Pdu) -> ParseResult {
+        if let Ok(quic) = QuicPacket::parse_from(data, self.cnt, pdu.dir) {
             let session_id = self.cnt;
             self.sessions.insert(session_id, quic);
             self.cnt += 1;

core/src/subscription/quic_stream.rs

@@ -121,7 +121,7 @@ impl Trackable for TrackedQuic {
 
     fn on_match(&mut self, session: Session, subscription: &Subscription<Self::Subscribed>) {
         if let SessionData::Quic(quic) = session.data {
-            let mut quic_clone = (*quic).clone();
+            let mut quic_clone = *quic;
 
             if let Some(long_header) = &quic_clone.long_header {
                 if long_header.dcid_len > 0 {

traces/README.md

@@ -2,8 +2,9 @@
 
 A collection of sample packet captures pulled from a variety of sources. 
 
-| Trace              | Source                                                                        | Description                                                                                                     |
-|--------------------|-------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------|
-| `small_flows.pcap` | [Tcpreplay Sample Captures](https://tcpreplay.appneta.com/wiki/captures.html) | A synthetic combination of a few different applications and protocols at a relatively low network traffic rate. |
-| `tls_ciphers.pcap` | [Wireshark Sample Captures](https://wiki.wireshark.org/SampleCaptures)        | OpenSSL client/server GET requests over TLS 1.2 with 73 different cipher suites.                                |
-| `quic_retry.pcapng`| [Wireshark Issue](https://gitlab.com/wireshark/wireshark/-/issues/18757)      | An example of a QUIC Retry Packet. Original Pcap modified to remove CookedLinux and add Ether                   |
+| Trace              | Source                                                                                                      | Description                                                                                                     |
+|--------------------|-------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------|
+| `small_flows.pcap` | [Tcpreplay Sample Captures](https://tcpreplay.appneta.com/wiki/captures.html)                               | A synthetic combination of a few different applications and protocols at a relatively low network traffic rate. |
+| `tls_ciphers.pcap` | [Wireshark Sample Captures](https://wiki.wireshark.org/SampleCaptures)                                      | OpenSSL client/server GET requests over TLS 1.2 with 73 different cipher suites.                                |
+| `quic_retry.pcapng`| [Wireshark Issue](https://gitlab.com/wireshark/wireshark/-/issues/18757)                                    | An example of a QUIC Retry Packet. Original Pcap modified to remove CookedLinux and add Ether                   |
+| `quic_xargs.pcap`  | [illustrated-quic GitHub](https://github.com/syncsynchalt/illustrated-quic/blob/main/captures/capture.pcap) | The pcap used in the creation of [The Illustrated QUIC Connection](https://quic.xargs.org).                     |